Site-to-site IPsec SA stuck, cannot clear.

appserv
Level 1

Hi there,

We just had an issue on our VPN hub after a short internet outage. Our site-to-site VPN hub is set up on a pair of Cisco 3925 routers. After the outage we noticed 3 remote sites cannot connect to our data centre anymore.

We have verified that the phase 1 negotiation works OK, and it looks like the phase 2 IPsec has got stuck. No matter how we try to clear the crypto isakmp sa, it still does not help. I also cannot find any command to clear the IPsec SA.

   protected vrf: VRF_VPN
   local  ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
   current_peer <remote IP> port 500
     PERMIT, flags={}
    #pkts encaps: 481619, #pkts encrypt: 481619, #pkts digest: 481619
    #pkts decaps: 780905, #pkts decrypt: 780905, #pkts verify: 780905
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: <Local IP>, remote crypto endpt.: 210.86.1.51
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.12
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: <local IP>, remote crypto endpt.: <remote IP>
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.12
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

When we turn on debugging we see the log below:

8958079: Sep 28 16:54:46.590 NZDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
8958080: Sep 28 16:54:47.382 NZDT: IPSEC(validate_proposal_request): proposal part #1
8958081: Sep 28 16:54:47.382 NZDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= <Local IP>:0, remote= <remote IP>:0,
    local_proxy= 172.16.0.0/255.240.0.0/256/0,
    remote_proxy= 192.168.210.0/255.255.255.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
8958082: Sep 28 16:54:47.386 NZDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
IRERX017#
8958083: Sep 28 16:54:47.386 NZDT: IPSEC(crypto_ipsec_create_ipsec_sas): Map found VPN
IRERX017#
8958084: Sep 28 16:54:54.998 NZDT: IPSEC(validate_proposal_request): proposal part #1
8958085: Sep 28 16:54:54.998 NZDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= <Local IP>:0, remote= <remote ip>:0,
    local_proxy= 10.0.0.0/255.0.0.0/256/0,
    remote_proxy= 192.168.210.0/255.255.255.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Has anyone seen a similar issue before? Thanks in advance.
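As an added example (not part of this thread), a small Python parser for output shaped like the `show crypto ipsec sa` listing above. It flags crypto map entries in the state shown in the post: packet counters still non-zero, but a zero outbound SPI and no ESP SAs in either direction, which is a cheap health check to run from a monitoring script. The sample text and peer addresses are constructed placeholders, not values from the post.

```python
import re

# Constructed sample shaped like the post's "show crypto ipsec sa" output: first entry is
# stuck (counters non-zero, outbound SPI 0x0, no ESP SAs), second entry is healthy.
SAMPLE = """\
   remote ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 481619, #pkts encrypt: 481619, #pkts digest: 481619
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
   remote ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
   current_peer 203.0.113.20 port 500
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
     current outbound spi: 0xC3A1B2E4(3282350820)
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0xC3A1B2E4(3282350820)
"""

def parse_ipsec_sa(text):
    """Return one record per crypto map entry (keyed off the 'remote ident' line)."""
    entries, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("remote ident"):
            cur = {"remote_net": s.split("(")[-1].rstrip(")"), "peer": None,
                   "encaps": 0, "outbound_spi": None, "in_esp": 0, "out_esp": 0}
            entries.append(cur)
            section = None
        elif cur is None:
            continue  # header text before the first entry
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"#pkts encaps: (\d+)", s).group(1))
        elif s.startswith("current outbound spi:"):
            cur["outbound_spi"] = int(re.search(r"0x([0-9A-Fa-f]+)", s).group(1), 16)
        elif s.endswith("sas:"):  # only ESP sections are counted; ah/pcp reset the state
            section = {"inbound esp sas:": "in_esp", "outbound esp sas:": "out_esp"}.get(s)
        elif s.startswith("spi:") and section:
            cur[section] += 1
    return entries

def stuck_peers(text):
    """Peers whose phase 2 is down (no ESP SA, zero outbound SPI) although the map
    still carries old counters, i.e. exactly the state the post shows."""
    return [e["peer"] for e in parse_ipsec_sa(text)
            if e["outbound_spi"] == 0 and e["in_esp"] == 0 and e["out_esp"] == 0]
```

Feed it the real command output (for example via a scheduled `show crypto ipsec sa` collection) and alert on any peer it returns, since the non-zero counters alone say nothing about whether the tunnel is currently up.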


pjain2
Cisco Employee

The phase 2 is not up as there are no SAs formed; the counters will still show up in the show crypto ipsec sa output.

To clear the counters, you can run the following command: clear crypto sa counters

Please attach the complete output of the phase 2 debugs.

Thanks Pjain,

I think I have resolved the issue now. I had to remove the crypto map and re-add it to the interface. All remote VPNs are working after that.

Thanks for the reply.

The command is

clear crypto ipsec sa peer a.b.c.d